Skip to main content

Azure AD Identity Protection deep dive

One of the advantages of Microsoft having many customers using its services is that Microsoft can leverage data from those customers and apply some real fancy Machine Learning on that data, coming from Azure AD, Microsoft Accounts and even Xbox services.

Based on all that data the Machine Learning capabilities are able to identify identity risks. Based on the risk, automatic investigation, remediation and sharing of that data with other solutions able to leverage it is possible. The outcome of risk is expressed as either High, Medium, Low or No Risk. This outcome can later be used to define policies.

By leveraging Azure AD Identity Protection you are able to use the signals provided by Microsoft and trigger “actions” – the signals can also be leveraged in your conditional access policies.

This article covers the following topics:

Disclaimer: This post reflects the status of Azure AD Identity Protection as of April 7th 2020. Functionality may change, even right after this post has been published.

Read More
AzureAD, Conditional Access, Identity Protection, Security, , , ,

Microsoft deprecates Conditional Access baseline policies in favour of Security Defaults, here is what you need to know and do

Last week, Microsoft announced that the Azure AD conditional access baseline policies will not make it out of their current preview status. The functionality of the baseline policies will be made in available in a new feature called “Security Defaults”, Microsoft will remove the baseline policies on February 29th, so if you are using them you need to take action in order to make sure to keep their functionality in place. Here is what you need to know.

I’ve discussed the baseline policies in part 5 of my blogpost series “Conditional Access Demystified“, while they provided a welcome addition, one of the main disadvantages of the baseline policies in its current preview form was that there was no option to exclude accounts from the policy, which was in contradiction with the best practice for break glass accounts and therefore made the policies not usable in some scenario’s.

Read More
AzureAD, Conditional Access, ,

Report-only mode, and some more handy reporting functionality for Conditional Access and Azure AD

During its annual Microsoft Ignite 2019 conference this week, Microsoft announced a new feature for Conditional Access called Report-Only mode in preview.

So, what is Report-only mode?

Report-Only mode is a new option within a Conditional Access policy. Besides the option to turn the conditional access policy on or off, the option to Report-only has been added.

New Report-only option
Read More
AzureAD, Conditional Access,

Extending Conditional Access to Microsoft Cloud App Security using Conditional Access App Control

In my blog article series on Conditional Access Demystied I mentioned that Conditional Access can be used to route sessions toward Microsoft Cloud App Security (MCAS). In this article I will go into more detail on what MCAS is, and how to setup Conditional Access App Control.

Disclaimer: This article discusses the full option MCAS product, there are some other flavors providing partial functionality like Office 365 Cloud App Security and Cloud App Discovery (CAD). For information about licensing, see the Microsoft Cloud App Security licensing datasheet.

What is Microsoft Cloud App Security (MCAS)?

Read More
AzureAD, Conditional Access, , ,

Conditional Access demystified, part 8: Resources and further references

Now available: May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet

This article is the last part of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs

In the last part of this series I will summarize some of the sources I used for writing this series of articles.

Read More
AzureAD, Conditional Access, Overview, , , ,

Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs

Now available: May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet

This article is part 7 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 8: Resources and further references

When you want to integrate other products into your Conditional Access environment you can use “Custom controls” to include products from other vendors into your Conditional Access conditions. If a custom control is used the browser is redirected to the external service, performs any required authentication or validation activities, and is then redirected back to Azure Active Directory. If the user was successfully authenticated or validated, the user continues in the Conditional Access flow. More information and some samples can be found here: Azure AD + 3rd party MFA = Azure AD Custom Controls – https://blogs.technet.microsoft.com/cbernier/2017/10/16/azure-ad-3rd-party-mfa-azure-ad-custom-controls/. This feature is still in preview but very promising for 3rd party vendors who want to integrate with Conditional Access.

Read More
AzureAD, Conditional Access, Overview, , , ,

Conditional Access demystified, part 6: Troubleshooting Conditional Access

Now available: May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet

This article is part 6 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

In this part of the series we will go into more detail on where we can find information which can help us to troubleshoot Conditional Access policies.

Read More
AzureAD, Conditional Access, Overview, , , ,

Conditional Access demystified, part 5: Implementing Conditional Access

Now available: May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet

This article is part 5 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Before you start implementing your Conditional Access policies you should define an implementation strategy, some things to consider are:

  1. Make sure that Modern Authentication is enabled for Exchange Online (EXO) and Skype for Business Online (SfBO), SharePoint online has modern authentication enabled out of the box
  2. Create 2 break glass accounts, these accounts, which are global administrator should have complex passwords and will be excluded from any conditional access policy created and must have MFA disabled (or either one of two per account). More information about creating break glass accounts can be found here: Manage emergency access accounts in Azure AD – https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access. Also keep in mind that you might want to change the default account settings for the Break Glass accounts using PowerShell: https://docs.microsoft.com/en-us/azure/security/azure-ad-secure-steps#step-2—reduce-your-attack-surface
  3. For each conditional access policy created, we will create an exclusion group, so that we can deal with exceptions in our environment. These exception groups will be setup with Access review functionality (if available) to make sure that the membership of these groups are evaluated on a regular basis.
Read More
AzureAD, Conditional Access, Overview, , ,

Conditional Access demystified, part 4: Designing a Conditional Access strategy

Now available: May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet

This article is part 4 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 3: How does Conditional Access work?
Conditional Access demystified, part 5: Implementing Conditional Access
Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

When designing a Conditional Access strategy for a customer we first need to start with an inventory of the environment, in the most ideal situation you would design and implement conditional access in a green field scenario, but I for sure never had that luxury before so it’s better to assume that the customer is already using cloud apps and wants to implement conditional access as an security measure.

Read More
AzureAD, Conditional Access, Overview, , , ,

Conditional Access demystified, part 3: How does Conditional Access work?

Now available: May 2020 update of the Conditional Access Demystified Whitepaper, Workflow cheat sheet, Implementation workflow and Documentation spreadsheet

This article is part 3 of a series, for which the following articles are available:

Conditional Access demystified, part 1: Introduction
Conditional Access demystified, part 2: What is Conditional Access?
Conditional Access demystified, part 4: Designing a Conditional Access strategy
Conditional Access demystified, part 5: Implementing Conditional Access

Conditional Access demystified, part 6: Troubleshooting Conditional Access
Conditional Access demystified, part 7: Modifying Conditional Access to suit your special needs
Conditional Access demystified, part 8: Resources and further references

Microsoft explains Conditional Access in the following way. Conditional Access consists of access scenario’s called Conditional Access policies. An Conditional Access policy follows the following pattern:

When this happens, then to this

“When this happens” defines the reason for triggering your policy. This reason is characterized by a group of conditions that have been satisfied. With “Then do this” you define how users can access your cloud apps.

Technically this is translated to Conditions (When this happens) and Access controls (Then do this)

Conditional Access policy
Read More
AzureAD, Conditional Access, Overview, , , ,